gnupg with php throws "could not init keylist"

Question

Trying to encrypt mails with gnupg, the method call gnupg::keyinfo() throws the error could not init keylist.

This is how I initialize the extension:

putenv('GPGME_DEBUG=9:./gnupg/debug.log');
putenv('GNUPGHOME=./gnupg/');

$this->gpg = new gnupg();
$this->gpg->seterrormode(gnupg::ERROR_EXCEPTION);

Where gnupg really does exist (calling is_dir('./gnupg') returns true - I've also tried the absolute path without success).

Some additional information:

• the exactly same code DOES work using PHP-CLI. (However, I need it using HTTP)
• I'm using an ubuntu webserver: Linux name 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 GNU/Linux
• gnupg version: gpg --version -> gpg (GnuPG) 1.4.10
• infrastructure: client -> nginx -> apache -> php 5.3
• for testing, I've set the file permissions (recursively): drwxrwxrwx 4 www-data web1 4096 29. Nov 12:30 .

The debug.log shows the following error:

_gpgme_io_set_close_notify (fd=0x282): enter: close_handler=0x7f6d2a409780/0x7f6d38edb730
_gpgme_io_set_close_notify (fd=0x282): error: Invalid argument

The full debug log is uploded here: http://nopaste.penguinfriends.org/view/84317/

Thanks in advance!

Answer 1

I know that I am late to the party, but I would like to share how I solved this issue. First, I tried to execute the script as Apache user (executing it from the command line as my own user works flawlessly, as stated by the OP):

# su -s /bin/bash -c '/usr/bin/php /var/www/html/gnupg.php' www-data

And this is where I obtained the same error. So I tried some things:

• Temporally added a /bin/bash to www-data in /etc/passwd to execute some commands with a proper shell (replace /usr/sbin/nologin by /bin/bash)
• Open an interactive shell as www-data: sudo -u www-data -i
• Generate a keyring with gpg --gen-key (it will create this folder /var/www/.gnupg with proper permissions
• Import your {public,secret} keys
• Remember to restore the /usr/sbin/nologin no-shell to www-data user in /etc/passwd

Now this script works as expected also as www-data :)

<?php

// make sure that this folder is NOT accesible as an URL
putenv("GNUPGHOME=/var/www/.gnupg/");

error_reporting(E_ALL);
$res = gnupg_init();
gnupg_seterrormode($res,GNUPG_ERROR_WARNING);

$info = gnupg_keyinfo($res, '');
echo "Key - Info<pre>";
var_dump($info);
echo "</pre>";

Answer 2

The problem stems from the php5 version of gnupg supports only version 1 of gnupg. However, the debian/ubuntu version of libgpgme11-dev was compiled using gpg version 2.

I wasn't able to find a clean solution using gpg.conf to specify which version of the gpg engine to use. So, I ended up removing (apt-get remove) gpg2 (and libgpgme11-dev) from my system and compiling GPGME from source. Then I reinstalled the php5 gnupg extension and everything was fine.

Answer 3

When you run from the command line, the GNUPGHOME path you specified is relative to your working directory where you are when you run the script. From a web environment you can't rely on a particular working directory so you may need to specify the full absolute path to your gnupg directory. You could, however, specify the path relative to the current script:

putenv('GNUPGHOME='.dirname(__FILE__).'/gnupg');

Also, you shouldn't ever use 777 permissions, especially with programs related to security like ssh and gnupg that may check and refuse, but 775 might have worked.